On November 23, a ransomware attack on the servers of All India Institute of Medical Sciences (AIIMS) in Delhi wreaked havoc on their systems, and all their processes had to go manual. It took over two weeks to get the infected systems online again. But what is more noteworthy is that an attack on India’s most prestigious hospital is only the tip of the iceberg of a much larger problem.

Think about it. A hospital, or any medical institution, has a vast trove of personally identifiable information on people – more sensitive than any other kind of data that may get stolen in a breach. A 2019 report pegged the value of a single healthcare record at $250 – miles ahead of the next most valuable data record, a payment card, which would fetch a bad actor $5.40.

The AIIMS ransomware attack reportedly involves 40 million records, including some belonging to the most powerful people in the country. The value of this data, therefore, goes beyond monetary terms.

A ransomware attack will often not expose data to the public initially. The entity that faces the attack, such as AIIMS, can get locked out of its own systems and data, and there is always the threat of their data getting leaked publicly or on the dark web.

In the case of AIIMS, the attackers encrypted the existing data, and allegedly demanded Rs 200 crore as ransom. While there is no official confirmation of such a demand, it is clear that the medical institution will not be paying the attackers. It is currently in the process of restoring data from backups – which may or may not be updated with the most recent data.

Some servers have been partially restored, but what is more worrying is that the government did not take steps to bolster cybersecurity even after it was brought to the attention of the authorities. Defences are being tightened to prevent any further untoward incidents, but it may be a case of too little, too late.

In a ransomware incident, the loss to the entity under attack is often not tangible. Think of the nightmarish scenario of a manual entry process at a hospital as busy as AIIMS, which treats over 12,000 patients in just its outpatient department. The amount of distress, delays in treatment or even risk to the life of a patient caused by all processes going manual may never be known.

What is more worrying is that there is little to no liability, even in case of an attack as massive as this. In the US, the Health Insurance Portability and Accountability Act (HIPAA) requires regulated entities to comply with its breach notification rule. The UK and Australia also have detailed conditions set out for how to deal with a data breach that includes the loss of protected health information. The UAE also has a clearly defined Health Data Law. The European Union also has a law specifically covering health data.

In India, laws are vague enough that there is no clarity on whether AIIMS is a victim or can actually be held liable for compromising critical data. The recently revised Personal Data Protection Bill specifies the obligations of the data fiduciary and data processor in case of a data breach or ransomware attack. Failure to prevent a personal data breach carries a penalty of up to Rs 250 crore.

The first information report filed for the case refers to sections of the Information Technology (IT) Act, one of which deals with cyber terrorism. The Indian Penal Code’s section dealing with extortion is also invoked. Considering the probe points to China being involved, it seems reasonable.

Given the wealth of data it has, AIIMS can easily be classified as a national database. But what recourse does an average person have if tomorrow the hackers decide to sell parts of this data and it ends in blackmail or misuse of their personal health data? If that sounds far-fetched, what is the value of reputational damage if the hackers or bad actors make the health records of eminent personalities, or past Prime Ministers public?

This incident should be a wake-up call for our authorities. Privacy is non-negotiable.

[This contributory article is authored by KK Mookhey, CEO & Founder of Network Intelligence. The views expressed are solely of the author]